Security Controls Were Not Adequately Considered in the Development and Integration Phases of Modernization Systems

August 2005

Reference Number: 2005-20-128

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

INSPECTOR GENERAL for TAX ADMINISTRATION

August 26, 2005

MEMORANDUM FOR CHIEF INFORMATION OFFICER
               CHIEF, MISSION ASSURANCE AND SECURITY SERVICES

FROM: Pamela J. Gardiner
      Deputy Inspector General for Audit

SUBJECT: Final Audit Report - Security Controls Were Not Adequately Considered in the Development and Integration Phases of Modernization Systems (Audit # 200420029)

This report presents the results of our review to evaluate the Internal Revenue Service’s (IRS) process for incorporating computer security controls into modernization systems. Currently, the IRS has a unique opportunity during its systems modernization efforts to develop and integrate adequate security controls effectively and efficiently. Many of its core systems are being rebuilt under the Business Systems Modernization efforts.
As such, security controls should be provided during the development phase[1] of the Enterprise Life Cycle (ELC)[2] and tested during the integration phase.[3]

We judgmentally selected and reviewed the e-Services, Internet Refund Fact of Filing, Modernized e-File, Custodial Accounting Project, and Customer Account Data Engine (CADE) modernization projects. Appendix V provides a description of these systems.

In summary, the Mission Assurance and Security Services (MA&SS) organization, the Business Systems Modernization Office (BSMO), and the PRIME contractor[4] are responsible for incorporating and developing security controls into modernization systems and their coordination is critical to effectively carry out these responsibilities. The MA&SS organization is responsible for establishing security standards for all systems and testing the security controls for new systems. It has a directorate specifically dedicated to ensuring appropriate security controls are developed, tested, and implemented for modernization systems. The BSMO is primarily responsible for ensuring security controls are considered, developed, and integrated in modernization systems. For the systems we reviewed, the BSMO contracted with the PRIME contractor to develop security controls in accordance with IRS standards.

[1] The development phase includes the analysis, design, acquisition, modification, construction, and testing of the components of a business solution. This phase also includes routine planned maintenance of applications.
[2] The ELC establishes a set of repeatable processes and a system of reviews, checkpoints, and milestones that reduce the risks of system development and ensures alignment with the overall business strategy. All IRS personnel and contractors involved in the modernization effort are required to follow the ELC. See Appendix IV for additional details about the ELC.
[3] The integration phase includes the integration, testing, piloting, and acceptance of a release. Application and technical infrastructure components are tested to determine if they interact properly.
[4] The PRIME contractor is the Computer Sciences Corporation, which heads an alliance of leading technology companies brought together to assist with the IRS’ efforts to modernize its computer systems and related information technology.

The IRS did not adequately consider security controls in the development phase of the systems. We identified several inadequate security controls, many of which could have been addressed in the development phase of the systems. For example, several security configurations do not comply with IRS standards, audit trails are not useable for modernization systems, and disaster recovery plans are not adequate for the systems we reviewed. In addition, documentation required in the development phase provided only general or outdated descriptions of security requirements and controls.

Waiting until after implementation to address these weaknesses will most likely cost significantly more than if the issues were considered during the development of the systems.
These inadequate security configurations could result in system exploitation by unauthorized individuals or personnel. In addition, the lack of disaster recovery planning in the development phase could unnecessarily prolong the recovery from a natural disaster or terrorist attack. Based on the conditions we identified, we believe the PRIME contractor primarily focused on delivering systems that would function but did not provide sufficient emphasis to ensure security controls had been developed for the systems. Additionally, the MA&SS organization was not sufficiently involved in the early development stages of the systems we reviewed. More involvement was needed to hold the PRIME contractor accountable and to encourage the PRIME contractor to develop security controls in compliance with IRS security standards when the systems were being developed.

During the integration phase of the ELC, applications must be tested with the technical infrastructure to ensure they interact effectively. The IRS’ testing identified several security control weaknesses, but some were not corrected before implementation. For example, the IRS found operating system configurations and file permissions were inaccurate on all Microsoft Windows computers for two systems. Although the IRS considered this weakness to be a moderate risk, it did not take any action to correct the weakness prior to implementation. Testing tools used by the IRS were generally adequate, but the IRS could use additional free software to identify additional security control weaknesses, such as the lack of security patches, before implementing new systems.

To ensure security controls that meet IRS security standards are adequately considered during the development of new systems, we recommended the Chief Information Officer (CIO) provide oversight to ensure coordination between the BSMO and PRIME contractor.
The CIO should revise the ELC to require disaster recovery planning in the development phase of the system life cycle and ensure the CADE audit trail data are retained and reviewed to detect unauthorized accesses. The Chief, MA&SS, should take the initiative to participate in the development of new systems and ensure security controls are built into the new systems. To improve testing, we recommended the Chief, MA&SS, use additional off-the-shelf security testing tools.

Management’s Response: The CIO emphasized that the IRS considers security controls at all times, even when there are pressures to implement systems. Security design processes are shared with various internal stakeholders and required life cycle artifacts are thoroughly reviewed. Also, IRS integration, deployment, and operational processes have matured since the audit was conducted. For example, the IRS modified the PRIME contract to include updated security requirements and implemented processes to measure compliance with IRS security settings during testing.

The CIO agreed with four of our five recommendations. The CIO stated the ELC and the PRIME contract have been updated to ensure security controls comply with IRS standards and are considered in the development phase. The ELC will be revised to include disaster recovery planning in the development phase. The CIO agreed that the MA&SS organization should be included in the development phase of new projects. In addition, the ELC has been updated to ensure security deliverables are addressed throughout the life cycle. To enhance security testing, the IRS will review internal processes and determine if additional tools can better check systems controls.
The CIO disagreed with our recommendation to retain and review audit trail information on the CADE and is not taking any action because the system cannot be accessed externally. The CIO also disagreed that the Security Audit and Analysis System (SAAS), which was procured to collect and review audit trail information for other modernization systems, was not operating. The CIO stated testing in September 2004 validated the SAAS was receiving and processing modernized system audit trail transactions. Management’s complete response to the draft report is included as Appendix VI.

Office of Audit Comments: The IRS made several improvements during our review that should address our conclusions and improve the security of modernization systems. IRS updates to the ELC and changes to the PRIME contract are examples of these improvements. We continue to believe that audit trail information for the CADE should be retained and reviewed. The CADE contains tax information for over 1.3 million returns that could be accessed by some IRS employees for unauthorized purposes and potentially used for identity theft purposes. Accordingly, audit trail information must be maintained to comply with Department of the Treasury requirements. We do not intend to elevate our disagreement to the Department of the Treasury for resolution at this time. However, we do plan a comprehensive review to determine whether audit trails for modernization systems are being retained and reviewed. We will include the CADE and the SAAS in this follow-up review.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E.
Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

Table of Contents

Background
Security Controls Need to Be Addressed in the Development Phase
    Recommendations 1 through 3
    Recommendation 4
Modernization Systems’ Security Testing Could Be Improved
    Recommendation 5
Appendix I – Detailed Objective, Scope, and Methodology
Appendix II – Major Contributors to This Report
Appendix III – Report Distribution List
Appendix IV – Enterprise Life Cycle Overview
Appendix V – Description of Modernization Projects Reviewed
Appendix VI – Management’s Response to the Draft Report

Background

The Internal Revenue Service (IRS) relies on approximately 350 computer systems to process tax information and account for over $2 trillion in revenue annually.[1] Security over these systems is critical to prevent hackers, disgruntled employees, and contractors from gaining unauthorized access to taxpayers’ sensitive financial information or from disrupting computer operations.

The IRS has many security weaknesses in its computer systems that have been difficult and costly to correct. One explanation for these weaknesses is that security controls were not adequately considered during the development of the systems.
Many of the IRS’ legacy systems were developed before the IRS had implemented a rigorous system development methodology.

Security weaknesses are almost always more difficult and costly to correct after systems have been implemented. According to the National Institute of Standards and Technology (NIST), it costs 30 times as much to fix a defect once software is built as it does to identify controls needed during requirements gathering.[2] In another study, Gartner, Inc.[3] states if 50 percent of software vulnerabilities were removed prior to production for purchased and internally developed software, enterprise configuration management costs and incident response costs would be reduced by 75 percent each.[4]

The IRS has a unique opportunity during its systems modernization efforts to develop security controls more effectively and efficiently.
Many of its core systems are being rebuilt under the Business Systems Modernization (BSM) efforts.

[1] Financial Audit: IRS’s Fiscal Years 2004 and 2003 Financial Statements (GAO-05-103, dated November 2004) and the IRS’ Inventory of Cyber Assets.
[2] The Economic Impacts of Inadequate Infrastructure for Software Testing, NIST, May 2002. The NIST, under the Department of Commerce, develops standards and guidelines for providing adequate information security for Federal Government operations and assets.
[3] Gartner, Inc. is a leading provider of research and analysis on the global information technology industry.
[4] Require Vulnerability Testing During Software Development, Gartner, Inc. research document, dated September 10, 2003.

To ensure modernization projects are developed in a disciplined manner, the IRS adopted its Enterprise Life Cycle (ELC).[5] The ELC processes are divided into six phases.
Three of these phases (development, integration, and operations and support) are relevant to incorporating security controls into each system. We concentrated on the development and integration phases in this review.

We judgmentally selected and reviewed the e-Services, Internet Refund Fact of Filing (IRFOF), Modernized e-File (MeF), Custodial Accounting Project (CAP), and Customer Account Data Engine (CADE) modernization projects. Appendix V provides a description of the modernization systems we reviewed. We tested the security controls of each system and, if security weaknesses were identified, determined whether the security control weakness was considered in the development and integration phases of the system.

This review was performed at the Business Systems Modernization Office (BSMO) facilities in New Carrollton, Maryland; the Martinsburg Computing Center (MCC)[6] in Martinsburg, West Virginia; and the Austin Campus[7] in Austin, Texas, during the period March 2004 through May 2005. The audit was conducted in accordance with Government Auditing Standards. Detailed information on our audit objective, scope, and methodology is presented in Appendix I.
Major contributors to the report are listed in Appendix II.

[5] The ELC establishes a set of repeatable processes and a system of reviews, checkpoints, and milestones that reduce the risks of system development and ensures alignment with the overall business strategy. All IRS personnel and contractors involved in the modernization effort are required to follow the ELC. Appendix IV provides an overview of the ELC.
[6] IRS Computing Centers support tax processing and information management through a data processing and telecommunications infrastructure.
[7] The campuses are the data processing arm of the IRS.
They process paper and electronic submissions, correct errors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts.

Security Controls Need to Be Addressed in the Development Phase

The Mission Assurance and Security Services (MA&SS) organization, the BSMO, and the PRIME contractor[8] are responsible for incorporating and developing security controls into modernization systems, and their coordination is critical to carry out these responsibilities. The MA&SS is responsible for establishing security standards for all systems. It has a directorate specifically dedicated to ensuring appropriate security controls are developed, tested, and implemented for modernization systems. The BSMO is primarily responsible for ensuring security controls are considered, developed, and integrated in modernization systems.
For the systems we reviewed, the BSMO contracted with the PRIME contractor to develop security controls in accordance with IRS standards.

We identified several security control weaknesses in the modernization systems we reviewed, many of which could have been addressed in the development phase of the systems. For example, audit trails for modernization systems are not functioning and disaster recovery plans are not adequate for the systems we reviewed. In addition, available documentation indicated a lack of emphasis on security controls as it provided only general or outdated descriptions of security requirements and controls. Waiting until systems are implemented to address security controls will most likely cost significantly more than if security controls had been considered during the development of the systems.

For the five systems, we concluded the PRIME contractor focused on developing systems that would function, but did not provide sufficient emphasis on the identification and development of security controls. In addition, the MA&SS organization was not sufficiently involved during the early development stages of the systems.
More involvement was needed to hold the PRIME contractor accountable and to encourage the contractor to develop adequate security controls when the systems were being developed.

[8] The PRIME contractor is the Computer Sciences Corporation, which heads an alliance of leading technology companies brought together to assist with the IRS’ efforts to modernize its computer systems and related information technology.

In January 2005, the IRS began taking over the role of systems integrator from the PRIME contractor due to reductions in funding by Congress for the BSM program and concerns about the adequacy of the PRIME contractor’s performance. The BSMO will now be responsible for program-level activities such as risk management and requirements management.
Contractors will continue to be used to deliver projects and provide support services.

Security configurations needed to deter unauthorized activity did not always comply with IRS standards

Several security configurations in the modernization systems did not comply with IRS standards. In each case, the configurations should have been addressed in the development phase of the systems. These inadequate configurations could result in system security exploitation, unauthorized access to taxpayer data, and disruption of computer operations by unauthorized personnel. Some of the configurations identified are readily exploitable, while others require specialized knowledge of the application installed.

Additionally, we noted two instances in which IRS guidance needs to be improved to increase security. If developers had followed the guidance provided by the IRS in these two instances, authentication controls would have been jeopardized, increasing the opportunities for an unauthorized person to gain access to the systems.
Due to the sensitive nature of the security weaknesses identified, we are not disclosing the weaknesses in this report. However, we provided IRS management with detailed information of these security weaknesses.

Audit trails needed to detect unauthorized activity are not operating on modernization systems

The Department of the Treasury requires automated information systems and networks which process, store, or transmit sensitive information maintain an audit trail of user security-relevant events. In addition, the audit trail security feature should be properly implemented and protected from modification. The NIST and the Government Accountability Office also provide guidelines for agencies to comply with Federal information systems security requirements.

Although we did not specifically evaluate audit trail controls for the systems in our sample, we noted in a prior review[9] that a system designed to collect audit trail data from certain modernization systems (including the e-Services, IRFOF, and MeF projects in our sample) was not functioning as intended.
Audit trail data were being stored, but users could not query the information due to software performance and functionality problems. The IRS accepted the system from the PRIME contractor even though it was aware that the system was not functioning. We were advised by BSMO management during this review that this audit trail system is still not functioning.

The CADE has its own audit trail. The CADE, which is eventually expected to replace the IRS’ existing Master File processing systems,[10] was first released in July 2004. As of April 27, 2005, it had processed 1.3 million Form 1040EZ[11] returns. The audit trail for the CADE is being collected, but it is destroyed after 1-2 days without being reviewed. We were advised by the CADE systems programmer that no IRS manager or employee had expressed a need to review CADE audit trail data, thus it was not being retained. Audit trail information should be reviewed frequently to protect against abuse and to identify abnormal activity by users.

The lack of audit trail functionality on these four modernization systems prevents management from identifying and investigating potential unauthorized accesses to the systems.
We cannot comment on the audit trail capabilities of the CAP because it was cancelled before being released.

[9] The Audit Trail System for Detecting Improper Activities on Modernized Systems Is Not Functioning (Reference Number 2004-20-135, dated August 2004).
[10] Master File processing systems contain taxpayer account and return data for individuals, businesses, and employer retirement plans.
[11] Form 1040EZ is the Income Tax Return for Single and Joint Filers With No Dependents. The initial release of the CADE will not process Forms 1040EZ for joint filers.

Disaster Recovery Planning was not considered during the development phase of the systems

The modernization systems we reviewed will reside on computers at the MCC. The strategy for disaster recovery at the MCC is to mirror all modernization applications at the Tennessee Computing Center (TCC) in Memphis, Tennessee.
We noted the following concerns.
• The MCC Disaster Recovery Plan addresses the IRFOF system but does not contain steps to fully restore the system in the event of a severe disaster. The Disaster Recovery Plan does not address the other two production systems (e-Services and the MeF). The Disaster Recovery Plan for the CADE adequately addressed disaster recovery requirements but these requirements were not tested prior to implementation.12
• Currently, the TCC cannot support full restoration of the modernization systems in the event of a disaster. The IRS is designing a Disaster Recovery Plan for those modernization systems currently being developed, including the e-Services and the MeF. The Plan will contain steps for building and recovering systems and is scheduled to be completed within 2 years.
• IRS guidance requires each site to store a complete copy of the Disaster Recovery Plan in both magnetic media and hard copy at the off premises storage facility for that site.
  Disaster recovery documents for four of the five modernization systems were not stored off-site. These documents are necessary to provide instructions to employees in the event of a disaster.
• Training was not provided for personnel with disaster recovery responsibilities. According to the Disaster Recovery Training Coordinator for systems at the MCC, the Disaster Recovery Team is comprised of system administrators who are considered technical experts and, thus, do not need training. The NIST requires disaster recovery personnel to be trained to the extent that they are able to execute their respective recovery procedures without aid of the recovery plan.

12 To Ensure the Customer Account Data Engine’s Success, Prescribed Management Practices Need to Be Followed (Reference Number 2005-20-005, dated November 2004).

The lack of disaster recovery planning for modernization systems could unnecessarily delay the recovery from a natural disaster or terrorist attack. The ELC does not require a detailed Disaster Recovery Plan for any of the phases of the system life cycle. In lieu of a detailed Disaster Recovery Plan, the ELC does require a contingency plan that lacks the specific information needed to restore systems in the event of a disaster.

Available documentation indicated security controls were not addressed sufficiently during the development phase

The PRIME contractor is required to prepare several reports for each system including the Systems Requirements Report, Security Risk Assessment, Security Plan, Technical Model View, Physical Technology Model View, and the Version Description Document (VDD).
Collectively, these reports should document the risks and security controls relevant to each system so the BSMO, the PRIME contractor, and the MA&SS organization have a common understanding of how the system will be developed and implemented.

We found several reports and plans that contained either general or outdated security requirements. For example, one report stated requirements would be conducted in accordance with the methodology described in an Internal Revenue Manual section that has been outdated since January 2002.

The VDD, in particular, should contain the steps needed to configure and develop the business and security applications needed for the system to operate. However, the VDDs used to build the systems did not include the security controls needed to eliminate the weaknesses we identified.

Recommendations

To ensure security controls that comply with IRS standards are considered in the development phase of modernization systems, the Chief Information Officer (CIO) should:

1. Provide oversight to ensure coordination between the BSMO and its contractors. Under the new operating model, the BSMO should retain the overall responsibility for ensuring security controls are provided in the development phase of new projects. This responsibility will require the BSMO to ensure it is properly drafting roles and responsibilities to adequately consider security controls during the development phase of the ELC.

Management’s Response: The CIO has designated the Director, Infrastructure Modernization Program Office, to provide oversight and ensure coordination between the BSMO and contractors. The CIO stated that, although adequate controls during the design and development phase are reflected in the new ELC, additional improvements can be implemented. In addition, the PRIME contract has been updated to reflect updated security standards and requirements.

2. Revise the ELC to require disaster recovery planning in the development phase of the system life cycle. A complete Disaster Recovery Plan should be required that addresses all modernization systems.
   During development, computer capacity and business resumption requirements should be gathered and considered.

Management’s Response: The Deputy Associate CIO of Business Integration will include language in the ELC regarding disaster recovery planning in the development phase of the system life cycle. In addition, corrective actions have been provided as part of the Disaster Recovery Material Weakness Plan to develop disaster recovery plans for all major systems supporting the IRS’ most critical business processes and to update resource requirements for disaster recovery capabilities for major systems.

3. Ensure audit trail data captured for the CADE is retained and reviewed to detect unauthorized accesses.

Management’s Response: The CIO disagreed with this recommendation. The log and audit files used by the CADE system programmers are established for recovery and diagnostic purposes and do not capture data related to unauthorized access.
Currently, the CADE has no support for external data inquiry.

Office of Audit Comment: We continue to believe that audit trail information for the CADE should be retained and reviewed. The CADE contains tax information for over 1.3 million returns that could be accessed by some IRS employees for unauthorized purposes and potentially used for identity theft purposes. Accordingly, audit trail information must be maintained to comply with Department of the Treasury requirements.

The Chief, MA&SS, should:

4. Ensure the MA&SS organization is included and participates in the development phase of new systems and ensure security controls are built into the systems.

Management’s Response: The CIO agreed that the MA&SS organization should participate in the development of new systems. In addition, the recent update to the ELC ensures security deliverables, checkpoints, and milestone exit certification requirements are addressed throughout the life cycle.
The ELC updates will ensure security controls are built into the systems.

Modernization Systems’ Security Testing Could Be Improved

During the integration phase of the ELC, systems must be tested to ensure security controls are adequate and they interact effectively with the technical infrastructure. This is a critical integration phase checkpoint because it is the last opportunity to identify security control weaknesses before implementation. The MA&SS organization is responsible for conducting security testing and identifying security weaknesses on new systems.

The IRS’ security testing identified several security weaknesses but not all identified weaknesses were corrected. For example, the IRS’ security testing of the modernization systems we reviewed identified incorrect registry and file permissions on all Microsoft Windows computers for two systems.
Although the IRS considered this weakness to be a moderate risk, it accepted the risks and did not correct the weakness prior to implementation. Based on the circumstances at the time, the decision to implement without correcting the weakness may have been appropriate. However, addressing the weakness earlier in development would have precluded the IRS from having to accept the associated risks and from potentially incurring additional costs to correct it after implementation.

The IRS’ testing process could also be enhanced. The IRS limited its testing tools to two products which were developed to test for compliance with IRS standards. The IRS believes its testing methodology adequately addresses security. While we agree the tools used by the IRS are effective, additional security vulnerabilities could be identified using additional cost-effective tools. For example, one free off-the-shelf program evaluates Microsoft Windows workstations for security vulnerabilities.
Using this program, we found over 63 percent of the IRS’ Microsoft Windows workstation systems were missing at least 1 critical security patch. The SANS Top 20 Internet Security Vulnerabilities13 list recommends several additional security testing tools to assist organizations in identifying vulnerabilities.

Furthermore, the IRS’ security tests could have been conducted more efficiently. For example, test commands for mainframe computers were entered manually into the system to gather data. Manual entry of commands is a very time-consuming process and, given the size of the modernization security database, inefficient and ineffective. The modernization mainframe computers already have software installed that could be used to generate test reports more efficiently.

13 The SANS Top 20 Internet Security Vulnerabilities, dated October 8, 2004. The SysAdmin, Audit, Network, Security (SANS) Institute was established in 1989 as a cooperative research and education organization.
It develops and maintains research documents about various aspects of information security.

Recommendation

To address the testing of security controls for modernization systems in the integration phase, the Chief, MA&SS, should:

5. Enhance the Security Test and Evaluation process to include the use of additional off-the-shelf security testing tools to identify security vulnerabilities. More efficient tools that are already available to the IRS for generating test reports should also be used.

Management’s Response: The Deputy Director of Certification, Testing, Evaluation, and Assessment will review the IRS’ internal process and determine if additional tools can be used to better check systems controls.

Appendix I

Detailed Objective, Scope, and Methodology

The objective of our review was to evaluate the Internal Revenue Service’s (IRS) process
for incorporating computer security controls into modernization systems. To accomplish this objective, we:

I. Judgmentally selected a sample of three modernization projects that had been implemented (the Internet Refund Fact of Filing,1 e-Services,2 and Modernized e-File3) and two projects being developed (the Customer Account Data Engine4 and the Custodial Accounting Project5). Currently, there are over 21 modernization projects consisting of business projects, infrastructure projects, and data projects. We used a judgmental sample because we were not planning to project the audit results. For the three implemented systems, we used software tools to evaluate operating system security settings for the systems at the Martinsburg Computing Center (MCC). We recorded any security weaknesses found in these systems.
   A. Obtained and reviewed the most recent Security Test and Evaluation plans and reports and Rational Database Security tests.
   B. Compared security vulnerabilities identified by the IRS and our audit team and conducted further research to determine whether the problem occurred before or after security testing was conducted.
II. If a security vulnerability identified in Step I occurred prior to testing, determined why the vulnerability was not reduced or corrected during the design phase.
   A. Obtained and reviewed the Systems Requirements Report, Security Risk Assessment, Security Plan, Technical Model View, Physical Technology Model View, and the Version Description Document for the three implemented modernization systems we selected to evaluate the adequacy of the information provided.
   B. Determined whether the same vulnerabilities existed in the two projects being developed by reviewing applicable documentation and executing tests conducted in Step I.
III. Determined whether audit trails were functioning for the modernization systems we reviewed.
   A. Followed up on a prior Treasury Inspector General for Tax Administration audit report6 to determine whether actions had been taken to provide audit trail data for modernization systems, including the e-Services, Modernized e-File, and Internet Refund Fact of Filing projects.
   B. Interviewed MCC officials regarding the availability and use of audit trail data for the Customer Account Data Engine system.
IV. Determined whether the modernization systems had adequate contingency plans.
   A. Evaluated the adequacy of available Disaster Recovery Plans for each system in our sample.
   B. Ascertained whether disaster recovery training had been provided to responsible officials.
   C. Determined whether disaster recovery plans were maintained off-site.
   D. Determined whether disaster recovery requirements were included in the Enterprise Life Cycle.
V. Evaluated the effectiveness of IRS security testing. For vulnerabilities identified by the IRS, we determined whether the problems were corrected, waived, or neglected.
   A. Reviewed the IRS’ processes and controls over security testing.
   B. Evaluated the testing methodology for the three implemented modernization systems to determine whether the testing was adequate.
   C. Reviewed the tests to determine whether information was correctly recorded and tested.

1 A web-based application that provides Form 1040-series taxpayers with refund status via the Internet. The Form 1040-series involves individual taxpayers.
2 A suite of web-based products that will allow tax professionals and taxpayers to conduct business with the IRS electronically.
3 Provides taxpayers the option to electronically file a U.S. Corporation Income Tax Return (Form 1120), U.S. Income Tax Return for an S Corporation (Form 1120S), U.S. Income Tax Return for Certain Political Organizations (Form 1120-POL), Return of Organization Exempt From Income Tax (Form 990), Short Form Return of Organization Exempt From Income Tax (Form 990-EZ), and Application for Extension of Time To File an Exempt Organization Return (Form 8868) through the Internet.
4 An online modernization data infrastructure that will house the authoritative taxpayer account and return data.
5 A single, integrated data repository of taxpayer account information, integrated with the general ledger and accessible for management analysis and reporting. The IRS cancelled this project in January 2005.
6 The Audit Trail System for Detecting Improper Activities on Modernized Systems Is Not Functioning (Reference Number 2004-20-135, dated August 2004).

Appendix II

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Program)
Stephen Mullins, Director
Thomas Polsfoot, Audit Manager
Cari Fogle, Senior Auditor
Myron Gulley, Senior Auditor
Michael Howard, Senior Auditor
Jimmie Johnson, Senior Auditor
Jacqueline Nguyen, Senior Auditor
Midori Ohno, Senior Auditor
Larry Reimer, Senior Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Associate Chief Information Officer, Business Systems Modernization OS:CIO:B
Associate Chief Information Officer, Information Technology Services OS:CIO:I
Director, Enterprise Operations OS:CIO:I:EO
Acting Director, Regulatory Compliance OS:MA:RC
Acting Director, Strategy, Program Management, and Personnel Security OS:MA:SP
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Management Controls OS:CFO:AR:M
Audit Liaisons:
       Chief Information Officer OS:CIO
       Chief, Mission Assurance and Security Services OS:MA

Appendix IV

Enterprise Life Cycle Overview

The Enterprise Life Cycle (ELC) defines the
processes, products, techniques, roles, responsibilities, policies, procedures, and standards associated with planning, executing, and managing business change. It includes redesign of business processes; transformation of the organization; and development, integration, deployment, and maintenance of the related information technology applications and infrastructure. Its immediate focus is the Internal Revenue Service (IRS) Business Systems Modernization (BSM) program. Both the IRS and its contractors must follow the ELC in developing/acquiring business solutions for modernization projects.

Life-Cycle Processes

The life-cycle processes of the ELC are divided into six phases, as described below:
• Vision and Strategy - This phase establishes the overall direction and priorities for business change for the enterprise. It also identifies and prioritizes the business or system areas for further analysis.
• Architecture - This phase establishes the concept/vision, requirements, and design for a particular business area or target system. It also defines the releases for the business area or system.
• Development - This phase includes the analysis, design, acquisition, modification, construction, and testing of the components of a business solution. This phase also includes routine planned maintenance of applications.
• Integration - This phase includes the integration, testing, piloting, and acceptance of a release. In this phase, the integration team brings together individual work packages of solution components developed or acquired separately during the Development phase. Application and technical infrastructure components are tested to determine if they interact properly.
  If appropriate, the team conducts a pilot to ensure all elements of the business solution work together.
• Deployment - This phase includes preparation of a release for deployment and actual deployment of the release to the deployment sites. During this phase, the deployment team puts the solution release into operation at target sites.
• Operations and Support - This phase addresses the ongoing operations and support of the system. It begins after the business processes and system(s) have been installed and have begun performing business functions. It encompasses all of the operations and support processes necessary to deliver the services associated with managing all or part of a computing environment. The Operations and Support phase includes the scheduled activities, such as planned maintenance, systems backup, and production output, as well as the nonscheduled activities, such as problem resolution and service request delivery, including emergency unplanned maintenance of applications. It also includes the support processes required to keep the system up and running at the contractually specified level.

Management Processes

Besides the life-cycle processes, the ELC also addresses the various management areas at the process level.
The management areas include:
• IRS Governance and Investment Decision Management - This area is responsible for managing the overall direction of the IRS, determining where to invest, and managing the investments over time.
• Program Management and Project Management - This area is responsible for organizing, planning, directing, and controlling the activities within the program and its subordinate projects to achieve the objectives of the program and deliver the expected business results.
• Architectural Engineering/Development Coordination - This area is responsible for managing the technical aspects of coordination across projects and disciplines, such as managing interfaces, controlling architectural changes, ensuring architectural compliance, maintaining standards, and resolving issues.
• Management Support Processes - This area includes common management processes, such as quality management and configuration management that operate across multiple levels of management.

Milestones

The ELC establishes a set of repeatable processes and a system of milestones, checkpoints, and reviews that reduce the risks of system development, accelerate the delivery of business solutions, and ensure alignment with the overall business strategy. The ELC defines a series of milestones in the life-cycle processes. Milestones provide for “go/no-go” decision points in the project and are sometimes associated with funding approval to proceed. They occur at natural breaks in the process where there is new information regarding costs, benefits, and risks and where executive authority is necessary for next phase expenditures.

There are five milestones during the project life cycle:
• Milestone 1 - Business Vision and Case for Action.
In the activities leading up to\n       Milestone 1, executive leadership identifies the direction and priorities for IRS business\n       change. These guide which business areas and system development projects are funded\n       for further analysis. The primary decision at Milestone 1 is to select BSM projects based\n       on both the enterprise-level Vision and Strategy and the enterprise architecture.\n                                                                                           Page 17\n\x0cSecurity Controls Were Not Adequately Considered in the Development and Integration\n                         Phases of Modernization Systems\n\n\xe2\x80\xa2    Milestone 2 - Business Systems Concept and Preliminary Business Case. The\n     activities leading up to Milestone 2 establish the project concept, including requirements\n     and design elements, as a solution for a specific business area or business system. A\n     preliminary business case is also produced. The primary decision at Milestone 2 is to\n     approve the solution/system concept and associated plans for a modernization initiative\n     and to authorize funding for that solution.\n\xe2\x80\xa2    Milestone 3 - Business Systems Design and Baseline Business Case. In the activities\n     leading up to Milestone 3, the major components of the business solution are analyzed\n     and designed. A baseline business case is also produced. The primary decision at\n     Milestone 3 is to accept the logical system design and associated plans and to authorize\n     funding for development, test, and (if chosen) pilot of that solution.\n\xe2\x80\xa2    Milestone 4 - Business Systems Development and Enterprise Deployment Decision.\n     In the activities leading up to Milestone 4, the business solution is built. The Milestone 4\n     activities are separated by two checkpoints. 
Activities leading up to Milestone 4A\n     involve further requirements definition, production of the system\xe2\x80\x99s physical design, and\n     determination of the applicability of fixed-price contracting to complete system\n     development and deployment. To achieve Milestone 4B, the system is integrated with\n     other business systems and tested, piloted (usually), and prepared for deployment. The\n     primary decision at Milestone 4B is to authorize the release for enterprise-wide\n     deployment and commit the necessary resources.\n\xe2\x80\xa2    Milestone 5 - Business Systems Deployment and Postdeployment Evaluation. In the\n     activities leading up to Milestone 5, the business solution is fully deployed, including\n     delivery of training on use and maintenance. The primary decision at Milestone 5 is to\n     authorize the release of performance-based compensation based on actual, measured\n     performance of the business system.\n\n\n\n\n                                                                                         Page 18\n\x0cSecurity Controls Were Not Adequately Considered in the Development and Integration\n                         Phases of Modernization Systems\n\n                                                                                    Appendix V\n\n\n                    Description of Modernization Projects Reviewed\n\ne-Services - The e-Services is a suite of web-based products that will allow tax professionals and\ntaxpayers to do business with the IRS electronically.\n\nThe Internet Refund Fact of Filing (IRFOF) \xe2\x80\x93 The IRFOF is a web-based application that\nprovides Form 1040-series taxpayers with refund status via the Internet. The Form 1040 series\ninvolves individual taxpayers.\n\nModernized e-File (MeF) - The MeF provides taxpayers the option to electronically file a\nU.S. Corporation Income Tax Return (Form 1120), U.S. Income Tax Return for an\nS Corporation (Form 1120S), U.S. 
Income Tax Return for Certain Political Organizations\n(Form 1120-POL), Return of Organization Exempt From Income Tax (Form 990), Short Form\nReturn of Organization Exempt From Income Tax (Form 990-EZ), and Application for\nExtension of Time To File an Exempt Organization Return (Form 8868) through the Internet.\n\nThe Custodial Accounting Project (CAP) - The CAP will be a single, integrated data\nrepository of taxpayer account information, integrated with the general ledger and accessible for\nmanagement analysis and reporting. The IRS cancelled this project in January 2005.\n\nThe Customer Account Data Engine (CADE) - The CADE is an online modernization data\ninfrastructure that will house the authoritative taxpayer account and return.\n\n\n\n\n                                                                                          Page 19\n\x0cSecurity Controls Were Not Adequately Considered in the Development and Integration\n                         Phases of Modernization Systems\n\n                                                                       Appendix VI\n\n\n                  Management\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                                             Page 20\n\x0cSecurity Controls Were Not Adequately Considered in the Development and Integration\n                         Phases of Modernization Systems\n\n\n\n\n                                                                             Page 21\n\x0cSecurity Controls Were Not Adequately Considered in the Development and Integration\n                         Phases of Modernization Systems\n\n\n\n\n                                                                             Page 22\n\x0cSecurity Controls Were Not Adequately Considered in the Development and Integration\n                         Phases of Modernization Systems\n\n\n\n\n                                                                             Page 23\n\x0cSecurity 
Controls Were Not Adequately Considered in the Development and Integration\n                         Phases of Modernization Systems\n\n\n\n\n                                                                             Page 24\n\x0cSecurity Controls Were Not Adequately Considered in the Development and Integration\n                         Phases of Modernization Systems\n\n\n\n\n                                                                             Page 25\n\x0cSecurity Controls Were Not Adequately Considered in the Development and Integration\n                         Phases of Modernization Systems\n\n\n\n\n                                                                             Page 26\n\x0c'